Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data"), the purposes for which we process them, and the scope of such processing. This privacy policy applies to all personal data processing activities carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
Effective Date: November 22, 2024
Table of Contents
Preamble
Data Controller
Overview of Data Processing
Relevant Legal Basis
Security Measures
Disclosure and Transmission of Personal Data
International Data Transfers
Provision of the Online Offering and Web Hosting
Registration, Login, and User Account
Single Sign-On Login
Contacting Us
General Information on Data Storage and Deletion
Rights of Data Subjects
Use of Cookies
Newsletter and Electronic Notifications
Web Analytics, Monitoring, and Optimization
Online Marketing
Social Media Presences
Plug-ins and Embedded Functions as well as Content
Deletion of Data
Changes and Updates
Data Controller
GreenMates GmbH
Luisenstraße 53
10117 Berlin
E-Mail: info@greenmatesberlin.com
Overview of Data Processing
The following overview summarizes the types of data processed, the purposes of their processing, and identifies the affected individuals.
Types of Processed Data
Inventory data
Contact data
Content data
Usage data
Meta, communication, and procedural data
Categories of Affected Individuals
Communication partners
Users
Purposes of Processing
Communication
Direct marketing
Feedback
Provision of our online offering and user-friendliness
Public relations
Relevant Legal Basis
Relevant legal bases under the GDPR: Below, you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations in your or our country of residence or establishment may also apply. If more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.
Consent (Art. 6(1) sentence 1 lit. a) GDPR) - The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.
Legitimate Interests (Art. 6(1) sentence 1 lit. f) GDPR) - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data.
National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which provides specific regulations regarding the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and data transfer, as well as automated decision-making in individual cases, including profiling. Additionally, state data protection laws of the individual federal states may also apply.
Note on the Applicability of GDPR and Swiss DPA: These data protection notices serve to provide information under both the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). Therefore, please note that, for broader applicability and understanding, the terms of the GDPR are used. Specifically, instead of the terms "processing" of "personal data," "overriding interest," and "sensitive personal data" used in the Swiss DPA, the GDPR terms "processing" of "personal data," "legitimate interest," and "special categories of data" are used. However, the legal meaning of these terms continues to be determined according to the Swiss DPA within its scope of application.
Security Measures
We take appropriate technical and organizational measures, in accordance with legal requirements, to ensure a level of protection appropriate to the risk, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the associated access, input, transfer, availability, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data security threats. We also take into account the protection of personal data during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.
Transfer and Disclosure of Personal Data
In the course of processing personal data, it may happen that this data is transferred to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients of this data may include, for example, service providers tasked with IT duties or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect it.
International Data Transfers
Data Processing in Third Countries:
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if processing occurs in the context of using third-party services, or if data is disclosed or transferred to other persons, entities, or companies, this only occurs in compliance with legal requirements. If the data protection level in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only take place if the data protection level is otherwise ensured, particularly through standard contractual clauses (Art. 46(2) lit. c) GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49(1) GDPR). Furthermore, we will inform you about the legal basis for third-country transfers from the individual third-country providers, with adequacy decisions being the primary basis. Information about third-country transfers and existing adequacy decisions can be found on the European Commission's website: EU Commission Data Protection.
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the data protection level for certain companies from the USA as secure within the framework of the adequacy decision dated July 10, 2023. You can find the list of certified companies and more information about the DPF on the US Department of Commerce website: Data Privacy Framework. We will inform you within the context of our data protection notices about which of our service providers are certified under the Data Privacy Framework.
Provision of the Online Offer and Web Hosting
To provide our online offer securely and efficiently, we use the services of one or more web hosting providers, from whose servers (or servers they manage) the online offer can be accessed. For these purposes, we may utilize infrastructure and platform services, computing capacity, storage space, and database services, as well as security and technical maintenance services.
Data processed in the context of providing the hosting offer can include all information about the users of our online offer that is generated during use and communication. This regularly includes the IP address, which is necessary to deliver the contents of the online offer to browsers, as well as all entries made within our online offer or from websites.
Email Sending and Hosting: The web hosting services we use also include sending, receiving, and storing emails. For these purposes, the addresses of the recipients and senders, as well as other information concerning the email dispatch (e.g., the involved providers) and the content of the respective emails, are processed. The aforementioned data may also be processed for SPAM detection purposes. Please note that emails are generally not sent in encrypted form over the internet. While emails are typically encrypted during transport, they are not encrypted on the servers from which they are sent and received (unless an end-to-end encryption method is used). Therefore, we cannot take responsibility for the transmission path of emails between the sender and the receipt on our server.
Collection of Access Data and Logfiles: We (or our web hosting provider) collect data about every access to the server (so-called server log files). Server log files can include the address and name of the retrieved websites and files, date and time of retrieval, transmitted data volumes, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider.
Server log files can be used for security purposes, for example, to avoid overloading the servers (especially in the case of misuse attacks, such as DDoS attacks), and to ensure server stability.
Content Delivery Network (CDN): We use a "Content Delivery Network" (CDN). A CDN is a service that helps deliver content from an online offer, particularly large media files such as graphics or program scripts, faster and more securely through regionally distributed servers connected via the internet.
Types of Data Processed: Content data (e.g., entries in online forms), usage data (e.g., visited web pages, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Content Delivery Network (CDN).
Legal Bases: Legitimate Interests (Art. 6(1) sentence 1 lit. f GDPR).
Services and Service Providers Used: Amazon Web Services (AWS): Web hosting and infrastructural services; service provider: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA; website: AWS; privacy policy: AWS Privacy.
Registration, Login, and User Account
Users can create a user account. During registration, the necessary mandatory information is communicated to the users and processed for the purpose of providing the user account based on the fulfillment of contractual obligations. The data processed includes login information (such as name, password, and email address). The data entered during registration is used for the purpose of utilizing the user account and its intended purpose.
Users may be informed via email about activities related to their user account, such as technical changes. If users have canceled their user account, their data related to the user account will be deleted, subject to legal retention obligations. It is the responsibility of users to back up their data before the end of the contract. We are entitled to irreversibly delete all user data stored during the contract period.
As part of using our registration and login functions, as well as utilizing the user account, we store the IP address and the time of each user action. This storage is based on our legitimate interests as well as the users' interests in protection against misuse and unauthorized use. This data is not generally shared with third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.
Types of Data Processed: Basic data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., entries in online forms), meta/communication data (e.g., device information, IP addresses).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Provision of contractual services and customer support, security measures, administration, and response to inquiries.
Legal Basis: Consent (Art. 6(1) sentence 1 lit. a GDPR), contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Single Sign-On Login
"Single Sign-On" or "Single Sign-On Login" or "Single Sign-On Authentication" refers to procedures that allow users to log in to our online services using a user account from a Single Sign-On provider (e.g., a social network). Single Sign-On authentication requires users to be registered with the respective Single Sign-On provider and to enter the required login credentials in the designated online form or already be logged in with the Single Sign-On provider and confirm the Single Sign-On login via a button.
The authentication is done directly by the respective Single Sign-On provider. During such authentication, we receive a user ID with the information that the user is logged in under this user ID with the respective Single Sign-On provider and an ID that we cannot use for other purposes (a "User Handle"). Whether additional data is transmitted to us depends solely on the Single Sign-On procedure used, the data release settings chosen during authentication, and the data users have made available in their privacy or other settings of their user account with the Single Sign-On provider. Depending on the Single Sign-On provider and the choices made by users, different data may be involved, usually the email address and username. The password entered as part of the Single Sign-On process with the Single Sign-On provider is neither visible to us nor stored by us.
Users are advised that the information stored by us may automatically be synchronized with their user account at the Single Sign-On provider, though this is not always possible or actually happens. For example, if users change their email addresses, they must manually update them in their user account with us.
We may use the Single Sign-On login if agreed with users as part of or before fulfilling a contract, if users have been asked for consent, and otherwise based on our legitimate interests and the users' interests in an effective and secure login system.
If users decide they no longer wish to use the connection of their user account with the Single Sign-On provider for Single Sign-On, they must remove this link within their user account with the Single Sign-On provider. If users wish to delete their data with us, they must terminate their registration with us.
Facebook Single Sign-On: We are jointly responsible with Facebook Ireland Ltd. for the collection or receipt within a transmission (but not the further processing) of "Event Data" that Facebook collects or receives in the course of the Facebook Single Sign-On login procedures carried out on our online service for the following purposes: a) Displaying content or advertising information that corresponds to the presumed interests of users; b) Delivering commercial and transactional messages (e.g., contacting users via Facebook Messenger); c) Improving ad delivery and personalizing features and content (e.g., improving the recognition of which content or advertising information is likely to match users' interests). We have entered into a special agreement with Facebook ("Controller Addendum," Facebook Controller Addendum) that specifically regulates the security measures Facebook must observe (Data Security Terms) and in which Facebook has agreed to fulfill the rights of the affected individuals (i.e., users can, for example, direct information or deletion requests directly to Facebook). Note: When Facebook provides us with metrics, analyses, and reports (which are aggregated, meaning they do not include individual user information and are anonymous to us), this processing is not part of joint responsibility but is based on a data processing agreement ("Data Processing Terms," Facebook Data Processing Terms), the "Data Security Terms" (Facebook Data Security Terms), and in relation to processing in the USA, on the basis of standard contractual clauses ("Facebook-EU Data Transfer Addendum," Facebook EU Data Transfer Addendum). The rights of users (especially to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.
Types of Data Processed: Basic data (e.g., names, addresses), contact data (e.g., email, phone numbers), event data (Facebook) ("Event Data" are data that can be transmitted to Facebook via Facebook Pixel (via apps or other means) by us and relate to people or their actions; these include information about visits to websites, interactions with content, features, installations of apps, purchases of products, etc.; event data is processed to create target groups for content and advertising information (Custom Audiences); event data does not include the actual content (such as written comments), login information, or contact information (i.e., names, email addresses, and phone numbers). Event data is deleted by Facebook after a maximum of two years, while the target groups created from it are deleted with the deletion of our Facebook account).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Provision of contractual services and customer support, login procedures.
Legal Basis: Consent (Art. 6(1) sentence 1 lit. a GDPR), contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Services and Service Providers Used:
Facebook Single Sign-On: Authentication service; Service provider: Facebook, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: Facebook; Privacy Policy: Facebook Privacy; Opt-Out: Facebook Ad Settings.
Google Single Sign-On: Authentication service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: Google; Privacy Policy: Google Privacy; Opt-Out: Ad Display Settings: Google Ad Settings.
Apple Single Sign-On: Authentication service; Service provider: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, Parent company: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; Website: https://www.apple.com; Privacy policy: https://www.apple.com/de/privacy/; Opt-out option: Privacy and personalization settings: https://privacy.apple.com/.
Contacting Us
When you contact us (e.g., via contact form, email, phone, or social media), the information provided by the inquiring individuals will be processed as necessary to respond to their inquiries and any requested actions.
Responding to inquiries as part of contractual or pre-contractual relationships is done to fulfill our contractual obligations or to respond to (pre-)contractual inquiries, and otherwise based on legitimate interests in answering inquiries.
Types of Data Processed: Master data (e.g., names, addresses), contact details (e.g., email, phone numbers), content data (e.g., entries in online forms).
Affected Individuals: Communication partners.
Purposes of Processing: Handling contact inquiries and communication.
Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), legitimate interests (Art. 6(1)(1)(f) GDPR).
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the underlying consent is revoked or there is no longer a legal basis for processing. This applies in cases where the original purpose of processing ceases to exist, or the data is no longer needed. Exceptions to this rule occur when legal obligations or special interests require longer retention or archiving of the data.
Specifically, data that must be retained for commercial or tax reasons, or that is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices include additional information on the retention and deletion of data specific to certain processing activities.
When multiple storage durations or deletion deadlines for a piece of data are indicated, the longest period is always applicable.
If a deadline does not explicitly start on a specific date and is at least one year long, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships where data is stored, the triggering event is the time the termination becomes effective or any other end of the legal relationship.
Data no longer needed for the originally intended purpose but retained due to legal requirements or other reasons will only be processed for the reasons that justify its retention.
Further Information on Processing, Procedures, and Services:
Data Retention and Deletion: The following general retention periods apply under German law:
10 Years: Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and other documents necessary to understand them, booking vouchers, and invoices (§ 147(3) in conjunction with (1) Nos. 1, 4, and 4a AO, § 14b(1) UStG, § 257(1) Nos. 1 and 4, (4) HGB).
6 Years: Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for taxation, such as hourly wage sheets, cost accounting sheets, calculation documents, price tags, as well as payroll documents unless they are already booking vouchers and cash register tapes (§ 147(3) in conjunction with (1) Nos. 2, 3, 5 AO, § 257(1) Nos. 2 and 3, (4) HGB).
3 Years: Data necessary to consider potential warranty and compensation claims or similar contractual claims and rights, as well as related inquiries, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Rights of the Affected Individuals
Rights of the Affected Individuals under the GDPR: As a data subject under the GDPR, you have various rights, particularly those arising from Articles 15 to 21 GDPR:
Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
Right to Withdraw Consent: You have the right to withdraw consent at any time.
Right of Access: You have the right to request confirmation as to whether data concerning you is being processed and to request information about such data, as well as further information and a copy of the data in accordance with legal requirements.
Right to Rectification: You have the right, in accordance with legal requirements, to request the completion of incomplete data concerning you or the correction of incorrect data concerning you.
Right to Erasure and Restriction of Processing: You have the right, in accordance with legal requirements, to request the immediate deletion of data concerning you, or alternatively, in accordance with legal requirements, to request the restriction of the processing of your data.
Right to Data Portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to request its transmission to another controller in accordance with legal requirements.
Right to Lodge a Complaint with a Supervisory Authority: You have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement if you believe that the processing of personal data relating to you infringes the GDPR.
Use of Cookies
Cookies are small text files or other storage notes that store and retrieve information on end devices. For example, they can store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or the functions used in an online offering. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as analyzing visitor traffic.
Consent Information: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless it is not required by law. Consent is not necessary, especially when the storage and retrieval of information, including cookies, is essential for providing a telemedia service explicitly requested by the users (i.e., our online offering). The revocable consent is clearly communicated to users and includes information about the specific use of cookies.
Data Protection Legal Basis: The legal basis for processing personal data of users through cookies depends on whether we ask for their consent. If users agree, the legal basis is their given consent. Otherwise, the data processed via cookies is based on our legitimate interests (e.g., for the economic operation of our online offering and improving its usability) or, if necessary, to fulfill our contractual obligations when the use of cookies is required for this purpose. The purposes for which we use cookies are explained in this privacy policy or within the framework of our consent and processing procedures.
Storage Duration: The following types of cookies are distinguished regarding their storage duration:
Temporary Cookies (Session Cookies): These cookies are deleted at the latest after a user leaves an online offering and closes their end device (e.g., browser or mobile application).
Permanent Cookies: These cookies remain stored even after the end device is closed. For example, the login status can be saved, and preferred content can be displayed directly when the user revisits a website. User data collected via cookies may also be used for reach measurement. Unless we provide explicit information about the type and storage duration of cookies (e.g., during the consent process), users should assume that these cookies are permanent and that the storage duration can be up to two years.
General Information on Withdrawal and Objection (Opt-out): Users can withdraw their consent at any time and object to the processing following legal requirements, including through their browser’s privacy settings.
Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
Affected Persons: Users (e.g., website visitors, users of online services).
Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further Information on Processing, Procedures, and Services:
Processing of cookie data based on consent: We use a consent management solution that collects users' consent for the use of cookies or the procedures and providers mentioned within the consent management framework. This process is used to collect, record, manage, and revoke consent, particularly regarding the use of cookies and similar technologies for storing, reading, and processing information on users' devices. As part of this process, users' consent for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure, is obtained. Users also have the option to manage and revoke their consent. The consent declarations are stored to avoid repeated queries and to provide proof of consent in accordance with legal requirements. The storage occurs server-side and/or in a cookie (so-called opt-in cookie) or through similar technologies to assign the consent to a specific user or their device. Unless specific details regarding the providers of consent management services are provided, the following general information applies: The duration of the consent storage is up to two years. A pseudonymous user identifier is created, which is stored along with the time of consent, details about the scope of the consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, system, and device used; Legal basis: Consent (Art. 6 Para. 1 Sentence 1 lit. a) GDPR).
Newsletter and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter referred to as "newsletter") only with the consent of the recipients or a legal basis. If the contents of the newsletter are explicitly stated during the signup process, they are decisive for user consent. Normally, providing your email address is sufficient to sign up for our newsletter. However, to offer a personalized service, we may ask for your name for personalized greetings in the newsletter or additional information if necessary for the newsletter’s purpose.
Double-Opt-In Procedure: Our newsletter subscription process generally follows a double-opt-in procedure. This means that after signing up, you will receive an email requesting you to confirm your subscription. This confirmation is necessary to ensure that no one can sign up using someone else's email address. Newsletter subscriptions are logged to be able to prove the registration process was conducted according to legal requirements. This includes storing the signup and confirmation times as well as the IP address. Any changes to your data stored with the email service provider are also logged.
Deletion and Restriction of Processing: We may retain unsubscribed email addresses based on our legitimate interests for up to three years before deleting them, to prove previously given consent. The processing of this data is limited to the purpose of potential defense against claims. A request for individual deletion is possible at any time, provided that the former existence of consent is confirmed simultaneously. If we are required to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called "blocklist").
The logging of the registration process is based on our legitimate interests to prove that it was conducted in compliance with the law. If we commission a service provider to send emails, this is done based on our legitimate interests in a secure and efficient sending system.
Legal Bases: The newsletter is sent based on the recipients' consent or, if consent is not required, based on our legitimate interests in direct marketing, provided that this is legally permitted, such as in the case of customer promotions. If we commission a service provider to send emails, this is based on our legitimate interests. The registration process is logged based on our legitimate interests to demonstrate that it was conducted legally.
Content:
Information about us, our services, promotions, and offers.
Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Usage data (e.g., page views and visit duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
Affected Persons: Communication partners.
Purposes of Processing: Direct marketing (e.g., via email or postal mail).
Retention and Deletion: 3 years - Contractual claims (AT) (Data necessary to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 1478, 1480 ABGB)). 10 years - Contractual claims (CH) (Data necessary to consider potential damage claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and common industry practices, are stored for the statutory limitation period of ten years, unless a shorter period of 5 years is applicable, which is relevant in certain cases (Art. 127, 130 OR)).
Legal Bases: Consent (Art. 6(1)(a) GDPR).
Opt-Out Option: You can unsubscribe from our newsletter at any time, i.e., revoke your consent or object to further receipt. A link to unsubscribe from the newsletter is provided at the end of each newsletter, or you can use one of the contact options mentioned above, preferably email, for this purpose.
Further Information on Processing, Procedures, and Services:
Measurement of Opening and Click Rates: The newsletters contain a so-called "web beacon," i.e., a pixel-sized file retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. This retrieval initially collects technical information such as browser details, your system, IP address, and the time of retrieval. This information is used to improve our newsletter based on the technical data or the target groups and their reading behavior, based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until deletion. These evaluations help us recognize our users' reading habits and tailor our content to them or send different content based on their interests. Unfortunately, it is not possible to revoke the performance measurement separately; in this case, the entire newsletter subscription must be canceled, or its receipt objected to.
Legal Bases: Consent (Art. 6(1)(a) GDPR).
Used Services and Providers:
Mailchimp: Email marketing platform; Service provider: "Mailchimp" - Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; Website: https://mailchimp.com; Privacy Policy: https://mailchimp.com/legal/privacy/.
Web Analytics, Monitoring, and Optimization
Web analytics, also referred to as "reach measurement," is used to evaluate the visitor traffic of our online offerings and may include pseudonymous values related to the behavior, interests, or demographic information of visitors, such as age or gender. With the help of reach measurement, we can, for example, determine when our online offerings, features, or content are most frequently used or are likely to encourage repeat visits. We can also identify which areas require optimization.
In addition to web analytics, we may also use testing procedures to optimize different versions of our online offerings or their components.
For these purposes, user profiles can be created and stored in a file (known as a "cookie") or similar methods with the same purpose can be utilized. These may include information such as viewed content, visited websites, used elements, technical details like the browser used, the computer system used, and usage times. If users have consented to the collection of their location data, this information may also be processed, depending on the provider.
User IP addresses are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of users (such as email addresses or names) is stored during web analytics, A/B testing, and optimization, but pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users but only the information stored in their profiles for the purposes of the respective procedures.
Legal Basis: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). We also refer you to the information on the use of cookies in this privacy policy.
Processed Data Types: Usage data (e.g., visited websites, interest in content, access times), meta-/communication data (e.g., device information, IP addresses).
Affected Individuals: Users (e.g., website visitors, users of online services).
Purposes of Processing: Reach measurement (e.g., access statistics, identification of recurring visitors), Tracking (e.g., interest-/behavior-based profiling, use of cookies), Conversion measurement (measuring the effectiveness of marketing measures), Profiling (creating user profiles).
Security Measures: IP masking (pseudonymization of the IP address).
Legal Basis: Consent (Art. 6 Para. 1 Sentence 1 lit. a GDPR), legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR).
Services and Service Providers Used:
Google Analytics: Reach measurement and web analysis; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: Google Analytics; Privacy Policy: Google Privacy Policy.
Google Tag Manager: Google Tag Manager is a solution that allows us to manage website tags via an interface and integrate other services into our online offering (see further details in this privacy policy). The Tag Manager itself (which implements the tags) does not create user profiles or store cookies. Google only learns the user's IP address, which is necessary to run the Google Tag Manager. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: Google Tag Manager; Privacy Policy: Google Privacy Policy.
Online Marketing
We process personal data for online marketing purposes, which may include the marketing of advertising space or the display of advertising and other content (collectively referred to as "content") based on potential user interests and the measurement of their effectiveness.
For these purposes, user profiles are created and stored in a file (known as a "cookie") or similar methods are used, by which the relevant information for displaying the aforementioned content is stored. This information may include viewed content, visited websites, used online networks, as well as communication partners and technical details, such as the browser used, the computer system used, and usage times. If users have consented to the collection of their location data, this information may also be processed.
User IP addresses are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear user data (such as email addresses or names) is stored during online marketing procedures, but pseudonyms are used. This means that neither we nor the providers of online marketing procedures know the actual identity of the users but only the information stored in their profiles.
The information in the profiles is usually stored in cookies or by similar methods. These cookies can later generally be read and analyzed for the purpose of displaying content on other websites that use the same online marketing procedure, as well as being supplemented with further data and stored on the server of the online marketing procedure provider.
In exceptional cases, clear data may be associated with the profiles. This occurs if users are members of a social network whose online marketing procedure we use and the network connects the profiles of the users with the aforementioned data. We ask that users consider that they may make additional agreements with the providers, e.g., by giving consent during registration.
We generally only receive access to aggregated information about the success of our advertisements. However, within the framework of so-called conversion measurements, we can check which of our online marketing procedures led to a so-called conversion, i.e., e.g., to a contract conclusion with us. Conversion measurement is used solely to analyze the success of our marketing measures.
Unless otherwise specified, please assume that used cookies are stored for a period of two years.
Legal Basis: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). We also refer you to the information on the use of cookies in this privacy policy.
Processed Data Types: Usage data (e.g., visited websites, interest in content, access times), meta-/communication data (e.g., device information, IP addresses).
Affected Individuals: Users (e.g., website visitors, users of online services), prospects.
Purposes of Processing: Tracking (e.g., interest-/behavior-based profiling, use of cookies), Remarketing, Conversion measurement (measuring the effectiveness of marketing measures), Interest-based and behavior-based marketing, Profiling (creating user profiles), Reach measurement (e.g., access statistics, identification of recurring visitors).
Security Measures: IP masking (pseudonymization of the IP address).
Legal Basis: Consent (Art. 6 Para. 1 Sentence 1 lit. a GDPR), Legitimate Interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR).
Opt-out Options: We refer to the privacy notices of the respective providers and the opt-out options provided by the providers (so-called "opt-out"). If no explicit opt-out option has been specified, you can disable cookies in your browser settings. However, this may limit the functionality of our online offerings. We also recommend the following opt-out options, which are offered comprehensively for specific regions: Europe: Your Online Choices, Canada: Your AdChoices, USA: About Ads, Cross-regional: About Ads Opt-Out.
Services and Service Providers Used:
Google Tag Manager: Google Tag Manager is a solution that allows us to manage website tags via an interface and integrate other services into our online offering (see further details in this privacy policy). The Tag Manager itself (which implements the tags) does not create user profiles or store cookies. Google only learns the user's IP address, which is necessary to run the Google Tag Manager. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: Google Tag Manager; Privacy Policy: Google Privacy Policy.
Google Analytics: Online marketing and web analysis; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: Google Analytics; Privacy Policy: Google Privacy Policy; Opt-Out: Opt-out plugin: Google Opt-Out, Settings for ad display: Google Ad Settings.
Social Media Presences
We maintain online presences within social networks and process user data in this context to communicate with active users or to offer information about us.
Please note that user data may be processed outside the European Union, which could pose risks for users, such as difficulties in enforcing user rights.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles may be created based on user behavior and interests, which may be used to display advertisements within and outside the networks that presumably match user interests. Therefore, cookies are usually stored on users' computers to track their usage behavior and interests. Data in usage profiles may also be stored independently of the devices used by the users (especially if they are members of the respective platforms and logged in there).
For a detailed presentation of the respective processing forms and opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.
In the case of information requests and the assertion of data subject rights, we also point out that these are most effectively asserted with the providers. Only they have access to the user data and can directly take appropriate measures and provide information. If you need assistance, you can still contact us.
Processed Data Types: Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or pictorial messages and posts and related information such as authorship or creation time); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
Affected Persons: Users (e.g., website visitors, online service users).
Purposes of Processing: Communication; Feedback (e.g., collecting feedback via online forms); Public relations.
Retention and Deletion: Deletion as described in the section "General Information on Data Retention and Deletion."
Legal Bases: Legitimate Interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR).
Further Information on Processing, Procedures, and Services:
Instagram: Social network allowing the sharing of photos and videos, commenting, favoriting posts, messaging, and subscribing to profiles and pages; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for Third-Country Transfers: Data Privacy Framework (DPF).
LinkedIn: Social network - We, together with LinkedIn Ireland Unlimited Company, are responsible for collecting (but not further processing) data of visitors for the purpose of creating "Page Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with, their actions, and details about the devices used by the users (e.g., IP addresses, operating systems, browser type, language settings, cookie data) and information from user profiles such as job function, country, industry, hierarchical level, company size, and employment status. Data protection information for the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy. We have concluded a specific agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum (the ‘Addendum’)", https://legal.linkedin.com/pages-joint-controller-addendum), which, among other things, regulates the security measures LinkedIn must observe and in which LinkedIn has committed to fulfilling data subject rights (i.e., users can direct information or deletion requests directly to LinkedIn). The rights of users (including access, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection of data by and transmission to Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of Ireland Unlimited Company, particularly regarding the transmission of data to the parent company LinkedIn Corporation in the USA; Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for Third-Country Transfers: Data Privacy Framework (DPF). Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Plug-ins and Embedded Features as well as Content
We integrate functional and content elements into our online offer, which are retrieved from the servers of their respective providers (referred to as "third parties"). These may include graphics, videos, or maps (collectively referred to as "content").
The integration always requires that the third-party providers of this content process the IP address of users, as they could not otherwise send the content to their browsers. The IP address is therefore necessary for displaying this content or functionality. We strive to use only those contents whose respective providers use the IP address solely for delivering the content. Third parties may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. These "pixel tags" can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the users' devices and contain technical details about the browser and operating system, referring websites, visit times, and other details about the use of our online offer, but also be combined with information from other sources.
Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.
Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta-, Communication-, and Procedure data (e.g., IP addresses, time stamps, identification numbers, involved persons); Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or pictorial messages and posts and related information such as authorship or creation time).
Affected Persons: Users (e.g., website visitors, online service users).
Purposes of Processing: Provision of our online offer and user-friendliness.
Retention and Deletion: Deletion as described in the section "General Information on Data Retention and Deletion". Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
Legal Bases: Consent (Art. 6 Para. 1 Sentence 1 lit. a GDPR), Legitimate Interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR).
Further Information on Processing, Procedures, and Services:
YouTube Videos: Video content; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 Para. 1 Sentence 1 lit. a GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: Data Privacy Framework (DPF). Opt-Out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad Personalization Settings: https://myadcenter.google.com/personalizationoff.
Data Deletion
The data we process will be deleted in accordance with legal requirements as soon as the consents allowing their processing are withdrawn or other permissions expire (e.g., if the purpose of processing these data has ceased or they are no longer necessary for the purpose).
If data is not deleted because it is required for other and legally permissible purposes, its processing will be limited to these purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose retention is necessary for the assertion, exercise, or defense of legal claims or to protect the rights of another natural or legal person.
Further information on the deletion of personal data may also be provided in the context of the individual privacy notices of this privacy policy.
Changes and Updates
We request that you regularly review the content of our privacy policy. We will update the privacy policy as soon as changes in the data processing we conduct make this necessary. We will inform you when changes require your participation (e.g., consent) or other individual notifications.
If we provide addresses and contact information for companies and organizations in this privacy policy, please note that addresses may change over time and verify the details before contacting them.
Created with the free privacy policy generator from Dr. Thomas Schwenke.